IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
Every services and containers should be able to protect their users and
limit the impact of security bugs thanks to the security syscalls
provided by seccomp and Landlock. The goal of these syscalls is to
improve security with additional restrictions. They are designed to be
safely used by unprivileged (and then potentially malicious) users.
Remove the now-redundant "seccomp" entry for nspawn.
(cherry picked from commit e9966634754b8c9ee3f3c579f25d938e185c282e)
Somebody wrapped the text, but whitespace is preserved in <programlisting>, so
the output was mangled. It also doesn't make sense to run systemd-path as root
(as indicated by '#'), so drop that. Also, this chunk should be a separate
paragraph.
(cherry picked from commit 1ca81b2e005ccef6e9ddf06c3e3441bae0a6e1d5)
I encountered this race condition while working on TEST-13-NSPAWN.varlinkctl.sh.
The long-running machine's init script sometimes does not have time to start and
register signals. As result, occasiounally failed tests.
(cherry picked from commit e826a8bed447f3b3f9ad487f96ab7f8c7620c75b)
Verity= is an image build concept, not a first boot concept, whereas
a partition designator is always available, so let's do the size stuff
based on that.
(cherry picked from commit e11745d000d7e9b3112bb336735c1bdfa77e9add)
Different device paths may resolve to same device node
(lookup_block_device()), e.g.
IOReadBandwidthMax=/dev/sda1 18879
IOReadBandwidthMax=/dev/sda2 18878
where both partitions resolve to /dev/sda and when these values are
applied (they are associated with original paths, i.e. as if applied for
different device) in the order from io_device_limits.
The parsing code prepends, so they end up in reverse order wrt config
file. Switch the direction so that the order of application matches the
order of configuration -- i.e. semantics in all other unit file
directives.
Apply same change to all directives that use per-device lists. (The
question whether partitions should be resolved to base device is
independent.)
And apply the changes equally to DBus properties write handlers.
Fixes#34126
(cherry picked from commit 0fa0dfa04465651a18107d503f9967f84bd761d1)
When removing a cgroup in unit_prune_cgroup(), read IO metrics to cache
them similar to the existing treatment of the CPU and memory usage data.
Note that we do not do this for the IP metrics as the firewall objects
are only destroyed in unit_free() and thus stay alive long enough to
be read out directly by all interested parties.
Fixes#26988.
(cherry picked from commit 17bbdefd8c49617d7596bbf708c818a9773a9b44)
The name of the parameter is misleading and it does not save us much
work because it is not used during regular unit property queries.
It is only used during unit_log_resources(), and the cgroup is already
dead by that point so it won't be read anyway.
(cherry picked from commit a0020ad84bb092fc72cde7dca5784a0a4e613fd7)
We generally do _not_ want the same sysexts to be loaded in both initrd and
exitrd phases. The environment is completely different and it's unlikely that
the same code can be useful in both places. Nevertheless, it can be useful in
_some_ cases, for example when the sysexts contains debugging tools.
I think we don't need to differentiate between initrds and exitrds through
SYSEXT_SCOPE, because the two types are made available in completely different
locations and loaded through a different mechanism, with very little chance of
an initrd being loaded as an exitrd without an explicit admin action (or the
other way around). So let's not complicate our code or definitions by an
explicit "exitrd" sysext designator, but just clarify that "initrd" also
encompasses exitrds in this context.
(cherry picked from commit 7352a0093f4ef96c361be22337cde3296d79da01)
The concept is fairly well established and present in our docs in various
places.
Say that the exitrd is also marked by the presence of /etc/initrd-release.
(cherry picked from commit ace26a511ff63dbc15f1b2b0b941cbd3294a288c)
This allows hacking on systemd without installing any build
dependencies except mkosi on the host machine.
(cherry picked from commit 6d862a9dc08285fffb9da29055235b5c9935dcf8)
dbff64ddf06f64ab94bd314df27d6c089b75de52 bumped the hash to
a commit after 24.3, so let's tell the users that 25~devel is
the minimum required.
(cherry picked from commit 3a157e7cb4b1ec6fb822a014d67161ecfee546a2)
When a network is busy, an ARP may be received before the timer event
source triggered first time.
Fixes#34489.
(cherry picked from commit 146b44d0a0001712ced2f22ca76d242eedac26ad)
Various tests skip themselves when running in a container so make
sure the test runs in a virtual machine so we get full coverage.
(cherry picked from commit f4faac20730cbb339ae05ed6e20da687a2868e76)
This breaks TEST-74-AUX-UTILS when run in a VM as the user gets access
to journal files that the test expects it can't access.
(cherry picked from commit 1d5b4317cd0140c043495f946e5352b188f3bec0)
When updating, I get a message like:
fatal: Not a valid object name a67221c3f0d0b81b9b5b3230a71d09044342f1a4^{commit}
The failure here is expected, it just means that an update is
necessary, so suppress output.
(cherry picked from commit 3f922abe49a14316aec87f8a8e2b0fe9ad4d5e52)
Currently, trying to boot images with type 1 entries generated by mkosi
with qemu freezes in the kernel EFI stub. I'm not going to pretend I
understand what's going on, but when I reported a similar problem with
UKIs, the fix was to rework the code in combine_initrds() in the stub
to behave like it does today. It seems that same fix was never applied
to systemd-boot's combine_initrds() function, so let's do that now to
fix the freezes I've been seeing trying to boot images with type 1 entries
in qemu.
(cherry picked from commit f8fa4222c9ac3e74e91c64e25e9532c99559cf99)
Force means force, we skip checks with PID1 for existing units, but
then bail out with EEXIST if the files are actually there. Overwrite
everything instead.
(cherry picked from commit 1e2d1a7202400e08a00782f32804fdc503259806)
In some cases (SUSE Tumbleweed) this is needed as a library (libz) is
not in the default path, so it fails to run.
(cherry picked from commit 1e17e48b96bb509754a0a11ea8bd0394965564c6)
login is now from util-linux so credentials are supported.
It also needs to be pulled in as it's Protected: yes rather than
Essential: yes.
Keep the old setting for Ubuntu as that still uses login from shadow.
(cherry picked from commit ec540290177ea208eafb6dfd49de2d9344bee4ce)
mksquashfs for some reason ends up in nss_systemd and mkfs.btrfs
links against libudev. The others don't need a sanitizer wrapper
script.
(cherry picked from commit 67b240f6b0babf99dce108d1e0f4e3b4b0cf3ec6)
Instead of parsing the human readable output of apt-cache, let's
use apt patterns to figure out the dependencies.
We also filter out virtual packages as apt will fail and say we need
to install an implementation of the virtual package even if a package
that provides the virtual package is already installed.
(cherry picked from commit 89c579788d1f864778c4d6f47b30bf37d04c4947)
Let's not just filter everything with systemd in the name, but instead
use the same list of volatile packages that we install to do the
filtering.
(cherry picked from commit 70ecdbfa230258ee88d3ed42ec8bbcd91e27bba3)
Supposedly they're never going to rewrite their git history again
so let's give src.opensuse.org another try given that code.opensuse.org
is down again.
(cherry picked from commit ffd76bdd9737484a3582c5f146f4f43318154b5c)
* a67221c3f0 Always build ukify package
* abb115a905 Do not use patch to modify systemd-user pam config file
* 196ec98228 Drop %upstream conditionalization for patches
(cherry picked from commit e921a8ad674c4a117ac217057b34fe53e5bb8066)
If the commit we're about to check out already exists in the local
repository, don't fetch from the remote repository.
(cherry picked from commit c5730846fe78518fb9fdabaedfd6f20eb5568582)
A relative path is not supported by rpm so let's make sure we specify
it as an absolute path.
(cherry picked from commit 71acb00c28a2d02fd582267a9bc263cd0ef9bd97)
